Follow:

Vulnerability:Win/MediaPlayer.Skin.RCE!CAN-2003-0228

Severity rating
Critical

Class/Type
Vulnerability

Discovered date
2003-05-07T00:00:00

Attack vector
Remote

Authentication required
No

Public exploits available
Yes

Signature detection
Medium



On this page




Description

Microsoft Windows Media Player provides functionality to change the overall appearance of the player itself through the use of "skins". Skins are custom overlays that consist of collections of one or more files of computer art, organized by an XML file. The XML file tells Windows Media Player how to use these files to display a skin as the user interface. In this manner, the user can choose from a variety of standard skins, each one providing an additional visual experience. Windows Media Player comes with several skins to choose from, but it is relatively easy to create and distribute custom skins.



Impact

This vulnerability could enable an attacker to place a file of their choice into a known or predetermined location on the user's machine. If the file was then made to run, it could take any action desired by the attacker, in the context of the user's privileges on that machine. Any limitation of the user's permissions on the machine would also be applied to the attackers program.



Technical details (analysis)

The vulnerability results because Windows Media Player 7.1 and Windows Media Player for XP do not correctly validate inputs when a skin file is being downloaded. Normally a skin file is downloaded to the Temporary Internet Files Folder and then copied into another non-predictable location. However the flaw permits a skin file - or a file masquerading as a skin - to be downloaded and copied into a predictable location. An attacker could seek to exploit this vulnerability by creating a specially crafted URL that, when accessed, would cause a file to be downloaded and copied to a location of the attacker's choosing. For example, if an attacker knew the location of the "Startup" folder on a user's machine, he may be able to cause the file to be downloaded directly into that folder. Because programs contained in the "Startup" folder automatically run when the machine starts up, an attacker could use this method to cause a malicious program or script to run on the machine.



Affected software

Microsoft Windows Media Player 7.1
Microsoft Windows Media Player for Windows XP (Version 8.0)



Non-affected software

All applications not on the affected list.



References




Solutions




NIS signature

Name: Vulnerability:Win/MediaPlayer.Skin.RCE!CAN-2003-0228
Release Date: 2003-05-07T00:00:00



Known false positives

No known false positives at this time.



Work-arounds

There are no known workaround.